Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21-08-2016 01
Ran by Marcinia (administrator) on MARCIN (23-08-2016 12:37:17)
Running from C:\Users\Marcinia\Downloads
Loaded Profiles: Marcinia (Available Profiles: Marcinia & Guest)
Platform: Windows 8.1 Pro (X64) Language: Angielski (Stany Zjednoczone)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ESET) C:\Program Files\ESET\ESET Smart Security\ekrn.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
() C:\Windows\SysWOW64\ASGT.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel(R) Corporation) C:\Program Files\Intel\BCA\pabeSvc64.exe
(www.shadowexplorer.com) C:\Program Files (x86)\ShadowExplorer\sesvc.exe
(McAfee, Inc.) C:\Program Files\TrueKey\McAfee.TrueKey.Service.exe
(RaMMicHaeL) C:\Program Files (x86)\Unchecky\bin\unchecky_svc.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Adobe Systems, Incorporated) C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe
(ESET) C:\Program Files\ESET\ESET Smart Security\egui.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(RaMMicHaeL) C:\Program Files (x86)\Unchecky\bin\unchecky_bg.exe
() C:\Program Files\Elgato\SoundCapture\SoundCapture.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(McAfee, Inc.) C:\Program Files\TrueKey\McTkSchedulerService.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\nacl64.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\52.0.2743.116\nacl64.exe
(ESET) C:\Program Files\ESET\ESET Smart Security\eOPPFrame.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Elgato Sound Capture] => C:\Program Files\Elgato\SoundCapture\SoundCapture.exe [1259520 2016-05-24] ()
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [767200 2014-05-29] (Advanced Micro Devices, Inc.)
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 0
HKLM\...\Policies\Explorer: [HideSCAHealth] 0
HKU\S-1-5-21-1922820034-4019851082-616782839-1001\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [2857248 2016-08-16] (Valve Corporation)
HKU\S-1-5-21-1922820034-4019851082-616782839-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8358680 2015-06-01] (Piriform Ltd)
HKU\S-1-5-21-1922820034-4019851082-616782839-1001\...\Run: [HotKeyBind.exe] => C:\Program Files (x86)\HotKeyBind\HotKeyBind.exe [884224 2004-11-15] (Marco Barisione (marco.bari@vene.ws))
HKU\S-1-5-21-1922820034-4019851082-616782839-1001\...\Run: [DAEMON Tools Lite Automount] => C:\Program Files\DAEMON Tools Lite\DTAgent.exe [4468056 2015-06-18] (Disc Soft Ltd)
HKU\S-1-5-21-1922820034-4019851082-616782839-1001\...\Run: [**ojllf<*>] => "C:\Users\Marcinia\AppData\Local\a71b3\95b72.lnk" <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1922820034-4019851082-616782839-1001\...\Run: [AZQworks] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Marcinia\AppData\Local\Apworks\gDrvHelper.dll
HKU\S-1-5-21-1922820034-4019851082-616782839-1001\...\Run: [YdhPack] => regsvr32.exe C:\Users\Marcinia\AppData\Local\YdhPack\CoolXx24.dll <===== ATTENTION
HKU\S-1-5-21-1922820034-4019851082-616782839-1001\...\Run: [uTorrent] => C:\Users\Marcinia\AppData\Roaming\uTorrent\uTorrent.exe [1988096 2016-07-05] (BitTorrent Inc.)
HKU\S-1-5-21-1922820034-4019851082-616782839-1001\...\RunOnce: [Uninstall C:\Users\Marcinia\AppData\Local\Microsoft\OneDrive\17.3.6386.0412\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Marcinia\AppData\Local\Microsoft\OneDrive\17.3.6386.0412\amd64"
HKU\S-1-5-21-1922820034-4019851082-616782839-1001\...\RunOnce: [Uninstall C:\Users\Marcinia\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Marcinia\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\amd64"
HKU\S-1-5-21-1922820034-4019851082-616782839-1001\...\Policies\Explorer: [TaskbarNoNotification] 0
HKU\S-1-5-21-1922820034-4019851082-616782839-1001\...\Policies\Explorer: [HideSCAHealth] 0
HKU\S-1-5-21-1922820034-4019851082-616782839-1001\...\MountPoints2: {8323b99c-572e-11e5-827c-d0509922590c} - "D:\setup.exe"
HKU\S-1-5-21-1922820034-4019851082-616782839-1001\...\MountPoints2: {ed922fa4-5192-11e5-8272-d0509922590c} - "D:\USBAutoRun.exe"
Lsa: [Notification Packages] scecli C:\Program Files\TrueKey\McAfeeTrueKeyPasswordFilter
ShellIconOverlayIdentifiers: [0PerformanceMonitor] -> {3B5B973C-92A4-4855-9D3F-0F3D23332208} => No File
Startup: C:\Users\Marcinia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf033.lnk [2016-05-14]
ShortcutTarget: bf033.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
Startup: C:\Users\Marcinia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRRJXRdZaWFVfMACCcH.lnk [2016-02-05]
ShortcutTarget: TRRJXRdZaWFVfMACCcH.lnk -> C:\Users\Marcinia\AppData\Local\Temp\tibia86.exe (No File)
BootExecute: autocheck autochk * sh4native Sh4Removal

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 62.179.1.62 62.179.1.63
Tcpip\..\Interfaces\{41A5A743-7236-44B6-87F7-04C33D8214D7}: [DhcpNameServer] 62.179.1.62 62.179.1.63
Tcpip\..\Interfaces\{E2410C28-B2C4-4DA4-A7A9-A11F96209106}: [NameServer] 8.8.8.8,8.8.4.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1

Internet Explorer:
==================
HKU\S-1-5-21-1922820034-4019851082-616782839-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM-x32 -> DefaultScope value is missing
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: True Key Helper -> {0F4B8786-5502-4803-8EBC-F652A1153BB6} -> C:\Program Files\Intel Security\True Key\MSIE\truekey_ie.dll [2016-07-15] (Intel Security)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
Toolbar: HKLM-x32 - True Key - {4BAAC1B8-0800-42C9-8FA6-08B211F356B8} - C:\Program Files\Intel Security\True Key\MSIE\truekey_ie.dll [2016-07-15] (Intel Security)

FireFox:
========
FF ProfilePath: C:\Users\Marcinia\AppData\Roaming\Mozilla\Firefox\Profiles\hqkq2ajs.default
FF DefaultSearchEngine: Yahoo®
FF SelectedSearchEngine: Yahoo®
FF Homepage: hxxps://www.malwarebytes.org/restorebrowser/
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2015-08-06] (Adobe Systems)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-09-03] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-09-03] (Intel Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-06-30] (Adobe Systems Inc.)
FF Extension: Microsoft ImageList Control 6.0 (SP6) - C:\Users\Marcinia\AppData\Roaming\Mozilla\Firefox\Profiles\hqkq2ajs.default\Extensions\{2BEC6115-5E1E-D34C-A35B-1CBAFD1F1B65} [2016-05-13] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{40211632-250D-4B8C-B04E-DA45BAE6DF8C}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\coFFPlgn => not found

Chrome:
=======
CHR HomePage: Default -> hxxp://www.gazeta.allplayer.org/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR DefaultSearchURL: Default -> hxxp://feed.safefinder.biz/?fext=true&publisherid=51218&publisher=extensiondefaultap&st=ed&q={searchTerms}
CHR DefaultSearchKeyword: Default -> SafeFinder
CHR Profile: C:\Users\Marcinia\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (ImprovedTube - YouTube Extension) - C:\Users\Marcinia\AppData\Local\Google\Chrome\User Data\Default\Extensions\bnomihfieiccainjcjblhegjgglakjdd [2016-07-29]
CHR Extension: (AdBlock) - C:\Users\Marcinia\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2016-07-29]
CHR Extension: (Auto HD For YouTube™) - C:\Users\Marcinia\AppData\Local\Google\Chrome\User Data\Default\Extensions\koiaokdomkpjdgniimnkhgbilbjgpeak [2016-05-25]
CHR Extension: (Infinite HD App) - C:\Users\Marcinia\AppData\Local\Google\Chrome\User Data\Default\Extensions\laealigljflmglcgncipdbmbjgjdpiim [2016-06-29]
CHR Extension: (Płatności w sklepie Chrome Web Store) - C:\Users\Marcinia\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-02]
CHR Extension: (Chrome Media Router) - C:\Users\Marcinia\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-08-19]
CHR HKU\S-1-5-21-1922820034-4019851082-616782839-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [efhdjkbfpoohkmfaldijcpbnmbpefpkb] - C:\Program Files (x86)\ALLPlayer\AllPlayer.crx [2015-08-31]
CHR HKLM-x32\...\Chrome\Extension: [efhdjkbfpoohkmfaldijcpbnmbpefpkb] - C:\Program Files (x86)\ALLPlayer\AllPlayer.crx [2015-08-31]
CHR HKLM-x32\...\Chrome\Extension: [jidkebcigjgheaahopdnlfaohgnocfai] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AGSService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe [2159320 2016-08-22] (Adobe Systems, Incorporated)
R2 ASGT; C:\Windows\SysWOW64\ASGT.exe [55296 2012-01-17] () [File not signed]
S3 Disc Soft Lite Bus Service; C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe [1268568 2015-06-18] (Disc Soft Ltd)
R2 ekrn; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [2779136 2016-08-21] (ESET)
R2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel(R) Corporation) [File not signed]
S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-11] (Intel(R) Corporation)
R2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-09-03] (Intel Corporation)
R2 IntelBCAsvc; C:\Program Files\Intel\BCA\pabeSvc64.exe [3026584 2016-05-06] (Intel(R) Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [169432 2013-09-03] (Intel Corporation)
R2 sesvc; C:\Program Files (x86)\ShadowExplorer\sesvc.exe [9216 2013-01-02] (www.shadowexplorer.com) [File not signed]
R2 TrueKey; C:\Program Files\TrueKey\McAfee.TrueKey.Service.exe [908256 2016-07-14] (McAfee, Inc.)
R2 TrueKeyScheduler; C:\Program Files\TrueKey\McTkSchedulerService.exe [15736 2016-07-14] (McAfee, Inc.)
S3 TrueKeyServiceHelper; C:\Program Files\TrueKey\McAfee.TrueKey.ServiceHelper.exe [86864 2016-07-14] (McAfee, Inc.)
R2 Unchecky; C:\Program Files (x86)\Unchecky\bin\unchecky_svc.exe [254232 2016-08-22] (RaMMicHaeL)
S3 vmicvss; C:\Windows\System32\ICSvc.dll [517120 2013-08-22] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [348392 2013-10-31] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2013-10-31] (Microsoft Corporation)
S2 tmrkfoj; C:\WINDOWS\System32\zyzkamhd.dll [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S0 amdkmafd; C:\Windows\System32\drivers\amdkmafd.sys [21160 2012-09-23] (Advanced Micro Devices, Inc.)
R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdWB6.sys [222720 2014-03-11] (Advanced Micro Devices)
R3 dtlitescsibus; C:\Windows\System32\drivers\dtlitescsibus.sys [30264 2015-09-10] (Disc Soft Ltd)
R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [263296 2016-08-21] (ESET)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
S0 eelam; C:\Windows\System32\DRIVERS\eelam.sys [15488 2016-08-21] (ESET)
R1 ehdrv; C:\Windows\system32\DRIVERS\ehdrv.sys [197288 2016-08-21] (ESET)
R2 ekbdflt; C:\Windows\system32\DRIVERS\ekbdflt.sys [153248 2016-08-21] (ESET)
R3 ElgatoVAD; C:\Windows\system32\DRIVERS\ElgatoVAD.sys [28800 2016-03-30] (Elgato Systems GmbH)
R1 epfw; C:\Windows\system32\DRIVERS\epfw.sys [208552 2016-08-21] (ESET)
R1 EpfwLWF; C:\Windows\system32\DRIVERS\EpfwLWF.sys [61608 2016-08-21] (ESET)
R0 epfwwfp; C:\Windows\System32\DRIVERS\epfwwfp.sys [84640 2016-08-21] (ESET)
S3 FlashUSB; C:\Windows\System32\drivers\FlashUSB_x64.sys [20480 2009-05-12] (Danish Wireless Design A/S)
S3 ManyCam; C:\Windows\system32\DRIVERS\mcvidrv.sys [49272 2014-12-29] (Visicom Media Inc.)
S3 mcaudrv_simple; C:\Windows\system32\drivers\mcaudrv_x64.sys [35960 2014-12-29] (Visicom Media Inc.)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-09-03] (Intel Corporation)
S3 taphss6; C:\Windows\system32\DRIVERS\taphss6.sys [42064 2016-02-17] (Anchorfree Inc.)
R1 VBoxNetAdp; C:\Windows\system32\DRIVERS\VBoxNetAdp6.sys [117768 2016-01-19] (Oracle Corporation)
R1 VBoxNetLwf; C:\Windows\system32\DRIVERS\VBoxNetLwf.sys [194976 2016-01-19] (Oracle Corporation)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [35856 2013-10-31] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [236888 2013-10-31] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [124760 2013-10-31] (Microsoft Corporation)
S1 bwlhzojn; \??\C:\WINDOWS\system32\drivers\bwlhzojn.sys [X]
S1 epp; \??\C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\epp.sys [X]
S3 esgiguard; \??\C:\Users\Marcinia\Downloads\SpyHunter 4.21.10.4585 Portable by wood\esgiguard.sys [X]
S1 gwbmdsow; \??\C:\WINDOWS\system32\drivers\gwbmdsow.sys [X]
R4 IOMap; \??\C:\WINDOWS\system32\drivers\IOMap64.sys [X]
S1 wqvidjlq; \??\C:\WINDOWS\system32\drivers\wqvidjlq.sys [X]
U3 pxldypog; \??\C:\Users\Marcinia\AppData\Local\Temp\pxldypog.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)
2016-08-23 12:37 - 2016-08-23 12:37 - 00018618 _____ C:\Users\Marcinia\Downloads\FRST.txt
2016-08-23 12:35 - 2016-08-23 12:37 - 00000000 ____D C:\FRST
2016-08-23 12:30 - 2016-08-23 12:31 - 02396672 _____ (Farbar) C:\Users\Marcinia\Downloads\FRST64.exe
2016-08-23 12:29 - 2016-08-23 12:34 - 00008229 _____ C:\Users\Marcinia\Desktop\GMER.txt.txt
2016-08-23 12:29 - 2016-08-23 12:29 - 00380928 _____ C:\Users\Marcinia\Downloads\1i7io9xg.exe
2016-08-22 13:11 - 2016-08-22 13:11 - 00452424 _____ (Bleeping Computer, LLC) C:\Users\Marcinia\Downloads\ListCWall.exe
2016-08-22 13:02 - 2016-08-22 13:03 - 00000000 ____D C:\AdwCleaner
2016-08-22 13:01 - 2016-08-22 13:01 - 01452864 _____ (RaMMicHaeL) C:\Users\Marcinia\Downloads\unchecky_setup.exe
2016-08-22 13:01 - 2016-08-22 13:01 - 00000000 ____D C:\ProgramData\Unchecky
2016-08-22 13:01 - 2016-08-22 13:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Unchecky
2016-08-22 13:01 - 2016-08-22 13:01 - 00000000 ____D C:\Program Files (x86)\Unchecky
2016-08-22 12:53 - 2016-08-22 12:53 - 03784256 _____ C:\Users\Marcinia\Downloads\AdwCleaner.exe
2016-08-22 12:52 - 2016-08-22 12:53 - 00039386 _____ C:\Users\Marcinia\Downloads\Addition.txt
2016-08-22 12:42 - 2016-08-22 12:43 - 01213352 _____ (SafeBytes Software Inc.) C:\Users\Marcinia\Downloads\TotalSystemCare_Installer.exe
2016-08-22 12:38 - 2016-08-22 12:38 - 03785560 _____ (DLL-Files.com Client ) C:\Users\Marcinia\Downloads\clientsetup_vos-0.exe
2016-08-21 11:24 - 2016-08-21 11:24 - 00153248 _____ (ESET) C:\WINDOWS\system32\Drivers\ekbdflt.sys
2016-08-21 11:24 - 2016-08-21 11:24 - 00061608 _____ (ESET) C:\WINDOWS\system32\Drivers\EpfwLWF.sys
2016-08-19 13:41 - 2016-08-19 13:41 - 00000000 ____D C:\Users\Marcinia\Desktop\Tor Browser
2016-08-18 23:38 - 2016-08-18 23:38 - 00003238 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-23 12:26 - 2013-08-22 17:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-08-23 12:26 - 2013-08-22 17:20 - 00000000 ____D C:\WINDOWS\CbsTemp
2016-08-23 12:25 - 2015-07-03 22:25 - 00003598 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1922820034-4019851082-616782839-1001
2016-08-23 12:07 - 2015-07-06 13:12 - 02450564 _____ C:\WINDOWS\system32\perfh015.dat
2016-08-23 12:07 - 2015-07-06 13:12 - 00717876 _____ C:\WINDOWS\system32\perfc015.dat
2016-08-23 12:07 - 2015-07-03 22:15 - 00005430 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-08-23 12:02 - 2015-07-05 13:37 - 00000000 ____D C:\Program Files (x86)\Steam
2016-08-23 12:02 - 2015-07-03 23:08 - 00001066 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-08-23 12:01 - 2013-08-22 16:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-08-23 04:42 - 2013-08-22 15:25 - 00262144 ___SH C:\WINDOWS\system32\config\BBI
2016-08-23 03:48 - 2015-07-03 23:08 - 00001070 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-08-23 00:52 - 2015-08-25 23:44 - 00000000 ____D C:\Users\Marcinia\AppData\Roaming\TS3Client
2016-08-22 22:59 - 2015-09-07 23:53 - 00000000 ____D C:\Program Files\KMSpico
2016-08-22 12:55 - 2015-07-07 22:08 - 00000000 ____D C:\Users\Marcinia\AppData\LocalLow\Temp
2016-08-22 12:33 - 2013-08-22 15:36 - 00000000 ____D C:\WINDOWS\Inf
2016-08-22 12:31 - 2016-05-31 04:32 - 00000000 ____D C:\Program Files\OBS
2016-08-22 12:31 - 2016-05-31 04:32 - 00000000 ____D C:\Program Files (x86)\OBS
2016-08-22 12:31 - 2016-04-17 07:11 - 00000000 ____D C:\ProgramData\Adobe
2016-08-22 12:31 - 2015-07-03 22:11 - 00000000 ____D C:\Users\Marcinia
2016-08-22 12:29 - 2016-05-25 15:25 - 00000000 ____D C:\Program Files\Common Files\Adobe
2016-08-22 12:23 - 2016-01-08 08:34 - 00000000 ____D C:\ProgramData\TechSmith
2016-08-22 12:23 - 2015-09-07 00:45 - 00000000 ____D C:\Users\Marcinia\Desktop\Zarabianie
2016-08-22 02:00 - 2015-11-10 18:35 - 00000000 ____D C:\Users\Marcinia\AppData\Local\Adobe
2016-08-21 11:24 - 2015-07-30 12:41 - 00263296 _____ (ESET) C:\WINDOWS\system32\Drivers\eamonm.sys
2016-08-21 11:24 - 2015-07-30 12:41 - 00208552 _____ (ESET) C:\WINDOWS\system32\Drivers\epfw.sys
2016-08-21 11:24 - 2015-07-30 12:41 - 00197288 _____ (ESET) C:\WINDOWS\system32\Drivers\ehdrv.sys
2016-08-21 11:24 - 2015-07-30 12:41 - 00084640 _____ (ESET) C:\WINDOWS\system32\Drivers\epfwwfp.sys
2016-08-21 11:24 - 2015-07-30 12:41 - 00015488 _____ (ESET) C:\WINDOWS\system32\Drivers\eelam.sys
2016-08-18 23:38 - 2016-04-21 07:30 - 00002351 _____ C:\Users\Marcinia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive dla Firm.lnk
2016-08-18 23:38 - 2015-09-06 14:14 - 00003182 _____ C:\WINDOWS\System32\Tasks\Microsoft OneDrive Auto Update Task-S-1-5-21-1922820034-4019851082-616782839-1001
2016-08-18 23:38 - 2015-07-08 02:40 - 00000000 ____D C:\Users\Marcinia\AppData\Roaming\Skype
2016-08-17 16:37 - 2015-09-14 00:28 - 00000000 ____D C:\Users\Marcinia\AppData\Local\CrashDumps
2016-08-11 07:00 - 2015-07-05 14:12 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-08-11 06:58 - 2015-07-05 14:12 - 147640136 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-08-10 10:16 - 2013-08-22 17:36 - 00000000 ___HD C:\Program Files\WindowsApps
2016-08-08 21:49 - 2015-07-03 23:08 - 00002215 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-08-03 03:32 - 2016-04-17 07:11 - 00002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2016-07-29 00:43 - 2015-07-03 23:08 - 00004042 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2016-07-29 00:43 - 2015-07-03 23:08 - 00003806 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2016-07-26 23:42 - 2015-07-03 22:20 - 00000000 ____D C:\Users\Marcinia\AppData\Roaming\Adobe

==================== Files in the root of some directories =======

1602-05-15 16:07 - 1602-05-15 16:07 - 0004924 _____ () C:\Users\Marcinia\AppData\Roaming\-H2kh7EUAp.cerber
1602-05-15 16:07 - 1602-05-15 16:07 - 0127876 _____ () C:\Users\Marcinia\AppData\Roaming\9bMSRfc3nd.cerber
2016-02-04 00:18 - 2016-02-04 00:18 - 0697360 ___SH () C:\Users\Marcinia\AppData\Roaming\AZWIQObFgKSgUfEYL
1602-05-15 16:07 - 1602-05-15 16:07 - 6494620 _____ () C:\Users\Marcinia\AppData\Roaming\bapBplEat2.cerber
1997-02-18 02:00 - 1997-02-18 02:00 - 0002345 _____ () C:\Users\Marcinia\AppData\Roaming\Bathyscape.aCP
1994-08-23 01:00 - 1994-08-23 01:00 - 0126185 _____ () C:\Users\Marcinia\AppData\Roaming\Caribou.cpt
2016-05-13 18:24 - 2016-05-14 10:30 - 0126976 _____ () C:\Users\Marcinia\AppData\Roaming\cookies.sqlite
1602-05-15 16:07 - 1602-05-15 16:07 - 0000796 _____ () C:\Users\Marcinia\AppData\Roaming\Dkk_AGqKNN.cerber
1602-05-15 16:07 - 1602-05-15 16:07 - 0000482 _____ () C:\Users\Marcinia\AppData\Roaming\fBDL6VNuGv.cerber
1602-05-15 16:07 - 1602-05-15 16:07 - 0126842 _____ () C:\Users\Marcinia\AppData\Roaming\fMBiN_cDJf.cerber
1602-05-15 16:07 - 1602-05-15 16:07 - 0000430 _____ () C:\Users\Marcinia\AppData\Roaming\GtJqbKKaI9.cerber
1602-05-15 16:07 - 1602-05-15 16:07 - 0005942 _____ () C:\Users\Marcinia\AppData\Roaming\gWVBj7acDS.cerber
1602-05-15 16:07 - 1602-05-15 16:07 - 0018810 _____ () C:\Users\Marcinia\AppData\Roaming\hADoDY1aGA.cerber
2016-05-13 17:44 - 2016-05-13 17:44 - 1626652 _____ () C:\Users\Marcinia\AppData\Roaming\Holddex.tst
1602-05-15 16:07 - 1602-05-15 16:07 - 0000796 _____ () C:\Users\Marcinia\AppData\Roaming\q7Q1PL4Z_0.cerber
1602-05-15 16:07 - 1602-05-15 16:07 - 0065614 _____ () C:\Users\Marcinia\AppData\Roaming\ShjUVq0rgD.cerber
2016-02-04 00:18 - 2016-02-04 00:18 - 0061515 ___SH () C:\Users\Marcinia\AppData\Roaming\TRRJXRdZaWFVfMACCcH.au3
1602-05-15 16:07 - 1602-05-15 16:07 - 0014868 _____ () C:\Users\Marcinia\AppData\Roaming\wOXSofHjJU.cerber
1602-05-15 16:07 - 1602-05-15 16:07 - 2279970 _____ () C:\Users\Marcinia\AppData\Roaming\zGv-fxJiAS.cerber
2016-03-18 16:49 - 2016-03-18 16:50 - 0016960 ____T (Un4seen Developments) C:\Users\Marcinia\AppData\Roaming\Microsoft\1eaadjc.dll
2016-03-18 16:52 - 2016-03-18 16:52 - 0218624 ____T (MultiMedia Soft) C:\Users\Marcinia\AppData\Roaming\Microsoft\AdjMmsVista.dll
2016-03-18 16:49 - 2016-03-18 16:50 - 0018724 ____T () C:\Users\Marcinia\AppData\Roaming\Microsoft\bass.dll
2016-03-18 16:49 - 2016-03-18 16:50 - 0014392 ____T (Un4seen Developments) C:\Users\Marcinia\AppData\Roaming\Microsoft\kfgresk.dll
2016-03-18 16:49 - 2016-03-18 16:50 - 0014456 ____T () C:\Users\Marcinia\AppData\Roaming\Microsoft\mjcriu.dll
2016-03-18 16:49 - 2016-03-18 16:50 - 0010816 ____T (Un4seen Developments) C:\Users\Marcinia\AppData\Roaming\Microsoft\peaadje.dll
2016-03-18 16:49 - 2016-03-18 16:50 - 0028760 ____T ((: JOBnik! :) [Arthur Aminov, ISRAEL]) C:\Users\Marcinia\AppData\Roaming\Microsoft\qwadjb.dll
2016-03-18 16:49 - 2016-03-18 16:50 - 0015424 ____T (Un4seen Developments) C:\Users\Marcinia\AppData\Roaming\Microsoft\rsaadjd.dll
2016-03-18 16:49 - 2016-03-18 16:50 - 0098872 ____T (Un4seen Developments) C:\Users\Marcinia\AppData\Roaming\Microsoft\~DFK46a4abc.tmp
2016-03-18 16:49 - 2016-03-18 16:49 - 0003584 _____ () C:\Users\Marcinia\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-03-11 21:27 - 2016-03-11 21:30 - 0007593 _____ () C:\Users\Marcinia\AppData\Local\Resmon.ResmonCfg
2015-09-21 21:02 - 2015-09-21 21:02 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2016-05-25 22:30 - 2014-04-30 16:53 - 0019535 _____ () C:\ProgramData\empty.ico

Some files in TEMP:
====================
C:\Users\Marcinia\AppData\Local\Temp\libeay32.dll
C:\Users\Marcinia\AppData\Local\Temp\msvcr120.dll
C:\Users\Marcinia\AppData\Local\Temp\sqlite3.dll

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-08-15 05:12

==================== End of FRST.txt ============================